
HEAT Attacks: Evading email security tools


People are working from home more than ever — and it’s going to stay that way long after the pandemic has passed. According to this Mercer study, 70 percent of responding companies said they would be adopting a hybrid office/remote work model. These companies are doing so for good reasons. Nearly 60 percent of worker respondents to this FlexJobs survey said that they would absolutely go looking for a new place to work if they couldn’t continue working remotely.

What does this mean for enterprise cybersecurity? It means attackers will focus on where remote staff tend to concentrate and work: in their web browser. The web browser has evolved from a simple interface to browse websites to a sophisticated productivity tool that workers rely on to collaborate and access business-critical apps—yet web security has largely remained the same. Designed for a time when most attacks were delivered via email or physical media such as floppy disks or USB thumb drives, the detection-based network and endpoint security tools many organizations rely on, such as Secure Web Gateways (SWGs), firewalls and sandboxes, are quickly becoming outdated.

Cyberattackers are taking advantage of this security lapse with credential phishing attacks — which are involved in over 90 percent of all cyberattacks — that leverage Highly Evasive Adaptive Threat (HEAT) techniques, such as Legacy URL Reputation Evasion (LURE), to sidestep traditional security technology. When it comes to phishing attacks, threat actors do everything they can to sidestep malicious URL-link analysis engines, which are traditionally implemented within email to analyze links before the user even sees them. Attackers’ strategies are proving successful. The Menlo Labs research team has observed a 224 percent increase in HEAT attacks in the second half of 2021. In many cases, these attacks led to the delivery of ransomware.

Broadly, phishing attacks involve deceitful communications that trick users into thinking that they’re interacting with a reputable person or company. Historically, phishing attacks have been delivered through email. These emails typically try to trick users into clicking a malicious link by utilizing some form of general social engineering technique, exploiting the trust that the victim has with the brand or person impersonated in the communication. In spear-phishing attacks, the attacker researches their targeted victims and learns their likes, desires, and other aspects of their lives that can be used to lure the target in or lull them into complacency.

Now, threat actors are increasingly taking this approach outside the realm of email phishing. With HEAT attacks, users are targeted (or speared) with malicious links via communication channels beyond email, such as social media and professional web networks, collaboration applications, SMS, shared documents, shared folders, and more. These malicious links are increasingly used to steal corporate credentials instead of personal credentials in order to bypass corporate security and deliver malware to corporate endpoints.

A game of escalation and tactics

The challenge for attackers is that enterprises keep improving their email security and actively scan email for malware and malicious links. Additionally, business-savvy users and staff (who know they are targets, thanks to security awareness training) are more careful about clicking on links in emails when they aren’t entirely sure of their safety. Yes, people still slip. And yes, many employees are still not cautious about what links they click on, and they get themselves into trouble. Yet more people are growing careful, especially more sophisticated, adequately trained, and aware users.

People tend to trust social media contacts more, so attackers have gravitated there — so much so that the Federal Trade Commission issued a warning that scams starting on social media proliferated in early 2020. Users are also actively engaging on these platforms as they seek work-related content to read or watch, as well as information about industry conferences, jobs, and more. As they’re actively clicking, they’re more likely to click on something they shouldn’t.

As we covered in Too hot to handle: Why modern work has given rise to HEAT attacks, a recent attack campaign consisted of attackers leveraging spear-phishing with the messaging capabilities of LinkedIn. These attackers coaxed users with bogus job opportunities that were malicious links designed to compromise their endpoints with malware that would give the attackers complete control over their target’s computer or device. Attackers are increasingly doing so with impersonation websites for brands that users trust.

These attacks hit the web browser, bypassing all the traditional email security defenses that enterprises have in place.

Sidestepping traditional malicious link analysis

This is yet another way threat actors leverage HEAT attacks against organizations. They’re evading malicious link analysis engines that are typically deployed to protect email by analyzing all of the links before passing them along to their people. With HEAT attacks designed to bypass link analysis engines, users are targeted in other areas of communication, such as social media sites and their messaging platforms, communication platforms such as Discord or Slack, SMS, and more. When clicked, these links are just like the links used in typical email phishing attacks — they’re designed to steal login credentials or distribute malware.

Attackers can also use the information on LinkedIn and what users post on Facebook or Twitter to obtain special knowledge that can be used to connect to the targeted victims and build relationships over time. The attacks are effective because they’re quick and can be made personal — seemingly more connected to the user.

Threat actors can also strategically combine HEAT attacks, such as by launching HTML smuggling attacks that we detailed in our article about how attackers evade file-based inspection. By combining such HEAT tactics, digital marauders increase their odds of successfully bypassing traditional security controls and technologies such as SWGs and email monitoring engines.

While email remains the primary attack vector (for now), HEAT attacks designed to bypass traditional defenses, such as malicious link analysis, are increasing. Security teams that lack the visibility to prevent evasive attacks will continue to miss these growing threats. To counter HEAT attacks, security teams should consider technology that provides enhanced browser visibility and dynamic security controls, which lets them detect and protect against suspicious behaviors and malicious website intent in real time. Addressing these key elements will allow organizations to prevent the growing number of HEAT attacks that are slipping past existing security solutions.

Menlo Security
